Blended DDoS Attacks Grow in Size, Complexity, Frequency: Report

While multi-vector distributed denial of service (DDoS) attacks have been part of the threat landscape for years, these attacks against enterprise networks are increasing in frequency, complexity and size, Arbor Networks’ 11th Annual Worldwide Infrastructure Security Report (WISR) reveals.

According to the report, 56 percent of the 354 respondents revealed that DDoS attacks targeted their infrastructure, applications and services simultaneously, up from only 42 percent that indicated the same last year. Furthermore, the report reveals that 93 percent of respondents registered application-layer DDoS attacks, and that these attacks mainly focused on DNS rather than HTTP services.

Unsurprisingly, the report also found that DDoS attacks continue to grow in size, with the largest attack reported in 2015 reaching 500 gigabits per second (Gbps), and with 450 Gbps, 425 Gbps and 337 Gbps attacks also spotted.

Nearly one quarter of the service providers surveyed for the report said they observed peak attack sizes over 100 Gbps, which shows a growth in the size of DDoS attacks, as only 20 percent of service providers revealed attacks over 50 Gbps last year. Moreover, the report found that 44 percent of service providers saw more than 21 attacks per month, while 9 percent saw IPv6 DDoS incidents.

Attacks targeting cloud-based services are also on the rise, with 33 percent of respondents indicating such incidents occurred, up from 29 percent last year and 19 percent two years ago. Additionally, 51 percent of data center operators saw DDoS attacks saturating their connectivity, while 34 percent saw outbound attacks from servers within their networks, up from 24 percent last year.

While firewalls should offer protection against DDoS attacks, the report reveals that they often fail to do so, and that more than 50 percent of enterprise respondents said their firewalls failed as a result of a DDoS attack. In fact, firewalls themselves become an attack surface and could become the first victims of DDoS as their capacity to track connections is exhausted, the report said.

According to the survey, 57 percent of enterprises are looking to speed up their incident response processes. Service providers appear interested in reducing the time taken to discover Advanced Persistent Threats (APTs) in their network, with one third saying they reduced it to under one week and 52 percent revealing they can contain the threat in under one month. These numbers from Arbor’s most recent survey appear to be quite optimistic, however. In fact, a previous report sponsored by Arbor Networks, released in May 2015, found that the average dwell time for retail companies – the duration for which attackers go undetected on a network – is roughly 197 days. The financial services industry fared slightly better, with an average time of 98 days.

Based on investigations conducted by Mandiant throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered dropped to 205 days in 2014 from 229 in 2013 and 243 in 2012.

Arbor's most recent survey also found that 75 percent of enterprises developed formal incident response plans in 2015 and dedicated resources to respond to such incidents, up from around two-thirds last year. 17 percent of enterprises are seeing malicious insiders, yet 40 percent of all enterprise respondents still haven’t deployed solutions to monitor BYOD devices on enterprise networks, although 13 percent are reporting security incidents relating to BYOD, up from only six percent last year.

Fewer companies are interested in increasing their internal resources to improve incident preparedness and response, down from 46 to 38 percent, the report shows. However, 50 percent of enterprises and 40 percent of service providers have contracted a third party for incident response, while 74 percent of service providers say their customers are increasingly demanding managed services.

The survey received responses from 354 entities, including service providers, hosting, mobile, enterprise and other types of network operators from around the world, with 52 percent of respondents being service providers. Enterprises accounted for 38 percent of total respondents, the remainder being non-service provider respondents such as government (6 percent) and education (4 percent).

“A constantly evolving threat environment is an accepted fact of life for survey respondents. This report provides broad insight into the issues that network operators around the world are grappling with. This report underscores that technology is only part of the true story since security is a human endeavor, with skilled adversaries on both sides. This report includes insights into people and process, providing a much richer and more vibrant picture into what is happening on the front lines,” Arbor Networks Chief Security Technologist Darren Anstee said.

At the end of 2015, the BBC network was targeted by the anti-ISIS group called New World Hacking, which claimed they were testing a DDoS tool capable of launching 600 Gbps attacks. Just after Christmas, cloud hosting company Linode registered a series of DDoS attacks, and Steam also revealed that details of roughly 34,000 users were exposed during a DDoS attack on Christmas Day.